Tracking the active torrenting in North Korea reveals some interesting things. Someone really loves Modern Family, but this also reveals more about the devices inside of North Korea based on the drivers they are downloading:
Here’s a list of the most common IP’s that have been torrenting in the last few months:
175.45.177.173
175.45.177.180
175.45.177.184
175.45.177.186
175.45.178.17
175.45.178.19
175.45.178.21
175.45.178.23
175.45.178.25
175.45.178.31
175.45.178.102
175.45.178.115
Open index found on https://175.45.178.131. Nothing interesting in the certificate. Looks like a few php frameworks.
Anyone interested in teaching in North Korea? https://yustpust.org
The YUST PUST Foundation has some openings listed under the Get Involved section. Curiously enough they have an address at a PO Box in Illinois
North Korea has a lot of ports open on port 8080, but I’m thinking those aren’t proxies…
Anyone know what they are? My best guess is bitcoin mining pools: https://news.bitcoin.com/north-korea-begins-bitcoin-mining-operation/
At times someone from a North Korean address has edited the following Wikipedia pages:
175.45.176.130
This one seems a little serious
User talk:Jimbo Wales: https://en.wikipedia.org/wiki/index.php?curid=9870625&diff=prev&oldid=614463449
175.45.176.135
SD Card- https://secure.wikimedia.org/wikipedia/en/wiki/index.php?curid=315794&diff=prev&oldid=608633609
175.45.176.140
Someone feels strongly about CMS’s
Content Management System- https://en.wikipedia.org/wiki/index.php?curid=75885&diff=prev&oldid=449076598
Mobile country code- https://secure.wikimedia.org/wikipedia/en/wiki/index.php?curid=6855629&diff=prev&oldid=534160820
New Asian–African Strategic Partnership- https://en.wikipedia.org/wiki/index.php?curid=37183551&diff=prev&oldid=583476306
Skyline- https://en.wikipedia.org/wiki/index.php?curid=26949434&diff=prev&oldid=578541976
User:Fisherjs- https://en.wikipedia.org/wiki/index.php?curid=5071547&diff=prev&oldid=500394392
175.45.176.143
Aron da Silva- https://en.wikipedia.org/wiki/index.php?curid=30183322&diff=prev&oldid=637412128
175.45.176.144
The Eternal Champion- https://en.wikipedia.org/wiki/index.php?curid=4935162&diff=prev&oldid=568064567
Real-time Transport Protocol- https://en.wikipedia.org/wiki/index.php?curid=26163&diff=prev&oldid=597787522
Looks like there’s an open mail relay hosted in the DPRK. Masked the domain for privacy reasons. Only resolves to DPRK domains.
Resolving hostname…
Connecting…
Connection: opening to smtp.XXXXXX.kp:25, timeout=300, options=array (
)
Connection: opened
SERVER -> CLIENT: 220 mail.star-co.net.kp ESMTP Postfix
CLIENT -> SERVER: EHLO tools.wormly.com
SERVER -> CLIENT: 250-mail.star-co.net.kp
250-PIPELINING
250-SIZE 1000000000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
CLIENT -> SERVER: MAIL FROM:
SERVER -> CLIENT: 250 2.1.0 Ok
CLIENT -> SERVER: RCPT TO:
SERVER -> CLIENT: 250 2.1.5 Ok
CLIENT -> SERVER: DATA
SERVER -> CLIENT: 354 End data with .
CLIENT -> SERVER: Date: Mon, 29 Apr 2019 02:58:14 +0000
CLIENT -> SERVER: To: flph@star-co.net.kp
CLIENT -> SERVER: From: Wormly SMTP Test
CLIENT -> SERVER: Subject: Wormly SMTP Test Message
CLIENT -> SERVER: Message-ID: <513d1d6870dbfc59c46586d3494dcc8c@blog.wormly.com>
CLIENT -> SERVER: MIME-Version: 1.0
CLIENT -> SERVER: Content-Type: text/plain; charset=iso-8859-1
CLIENT -> SERVER:
CLIENT -> SERVER: This message was sent using the Wormly SMTP testing tool by this user:
CLIENT -> SERVER: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0
CLIENT -> SERVER: 185.210.218.100
CLIENT -> SERVER:
CLIENT -> SERVER: .
SERVER -> CLIENT: 250 2.0.0 Ok: queued as 5AF6222C37A4
CLIENT -> SERVER: QUIT
SERVER -> CLIENT: 221 2.0.0 Bye
Connection: closed
Message completed successfully.
well this makes things a little easier: http://dprkportal.kp/index.php
Not sure if this deserves a regular page yet, but a list of sites that are hosted outside of the NK address space:
http://www.ournation-school.com/
http://pyongyang.news-site.net/
http://tptloffice.com/content/first.html
http://www.phoenixcommercialventures.eu/
http://pyongyang.news-site.net/
For the past few months, I’ve been working on scans from a VPS against the North Korean IP space to watch as different sites come online. I’ve got a decent scan that runs now but still needs some work. Below is what I’ve found but there is still a lot more digging to be done on the sites, but I wanted to at least start getting this information online and work on categorizing it better later:
Default Red Hat server with an Apache test page.
Open ports for each host:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
3306/tcp open mysql
4444/tcp filtered krb524
6000/tcp open X11
The banner reported for them as well shows as Red Hat, as opposed to Red Star Linux, which show up in some of the other hosts scanned: Apache/2.2.15 (Red Hat)
Network Gear:
175.45.178.142
Websites:
175.45.178.178
This is one that I always keep coming back to whenever it appears online. It looks like it is a North Korean security tool of some kind. The only information that I’ve been able to gather is in the following:
# wget –no-check-certificate https://175.45.178.178
–2015-07-05 01:10:06– https://175.45.178.178/
Connecting to 175.45.178.178:443… connected.
WARNING: cannot verify 175.45.178.178’s certificate, issued by “/C=XX/ST=XX/L=XX/O=NeoTech/OU=Secure Team/CN=NetRadar/emailAddress=nsd@neotech.com”:
Self-signed certificate encountered.
WARNING: certificate common name “NetRadar” doesn’t match requested host name “175.45.178.178”.
HTTP request sent, awaiting response… 200 OK
Depending on the country you are connecting in from you are Rodong will load from a different IP. Connecting from Romania produced 175.45.177.78 and Canada 175.45.176.68
Other than the fact that any picture of a crowd looks Photoshopped, you can also track Supreme Leaders activity. Site runs on Red Star 3.0: Apache/2.2.15 (RedStar 3.0)
http://www.chosunexpo.com/expo_en/
Website of a software development company founded in 2002. Focuses on mobile and web apps, games, and applications.
175.45.176.67
There’s a lot of different domains for this address. It hosts a news site Naenara but there are several other domains associated with it as well:
175.45.176.79
Website of Kim Il Sung University. Haven’t had too much of a chance to dig into this site yet, seems pretty straightforward though.
Scan results are below. Still working on tweaking the scan a little bit to get some more information.
North Korean Internet 